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ABSTRACT 

This  paper  discusses  the  upper  and  lower  bounds  on  the 
accuracy  of  the  time  synchronization  achieved  by  the  algorithms 
implemented  in  TEMPO,  a  distributed  clock  synchronizer  running 
on  Berkeley  UNIX  4.3BSD  systems.  We  show  that  the  accuracy  is 
a  function  of  the  the  network  transmission  latency,  and  depends 
linearly  upon  the  drift  rate  of  the  clocks  and  the  interval  between 
synchronizations.  Comparison  with  other  clock  synchronization 
algorithms  reveals  that  TEMPO  may  achieve  better  synchroniza¬ 
tion  accuracy  at  a  lower  cost. 

Introduction 

This  paper  discusses  the  upper  and  lower  bounds  on  the  accuracy  of  the 
time  synchronization  achieved  by  the  algorithms  implemented  in  TEMPO,  a 
distributed  clock  synchronizer  running  on  Berkeley  UNIX  4.3BSD  systems. 

TEMPO,  which  works  in  a  local  area  network,  consists  of  a  collection  of 
time  daemons  (one  per  machine)  and  is  based  on  a  master-slave  structure2,3. 


This  work  was  sponsored  by  the  Defense  Advanced  Research  Projects  Agency  (DoD), 
Arpa  Order  No.  4871  monitored  by  the  Naval  Electronics  Systems  Command  under 
contract  No.  N00039-84-C-0089,  and  by  the  CSELT  Corporation.  The  views  and 
conclusions  contained  in  this  document  are  those  of  the  authors  and  should  not  be 
interpreted  as  representing  official  policies,  either  expressed  or  implied,  of  the  De¬ 
fense  Research  Projects  Agency,  of  the  US  Government,  or  of  CSELT. 

UNIX  is  a  Trademark  of  AT&T  Bell  Laboratories. 

*  Author’s  current  address:  IBM  Zurich  Research  Laboratory,  Saumerstrasse  4, 
CH-8803  Rueschlikon,  Switzerland. 
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Figures  la  and  lb  sketch  the  way  TEMPO  works.  A  master  time  dae¬ 
mon  measures  the  time  difference  between  the  clock  of  the  machine  on 
which  it  is  running  and  those  of  all  other  machines.  The  master  computes 
the  network  time  as  the  average  of  the  times  provided  by  nonfaulty  clocks  . 
It  then  sends  to  each  slave  time  daemon  the  correction  that  should  be  per¬ 
formed  on  the  clock  of  its  machine.  Since  the  correction  can  be  negative,  in 
order  to  preserve  the  monotonicity  of  the  clocks’  time  functions,  TEMPO 
implements  it  by  slowing  down  (or  speeding  up)  the  clock  rates1.  This  pro¬ 
cess  is  repeated  periodically.  Because  the  correction  is  expressed  as  a  time 
difference  rather  than  an  absolute  time,  transmission  delays  do  not  interfere 
with  synchronization. 


When  a  machine  comes  up  and  joins  the  network,  it  starts  a  slave  time 
daemon,  which  will  ask  the  master  for  the  correct  time  and  will  reset  the 
machine’s  clock  before  any  user  activity  can  begin.  TEMPO  therefore  main¬ 
tains  a  single  network  time  in  spite  of  the  drift  of  clocks  away  from  each 
other. 


An  election  algorithm  that  will  elect  a  new  master  should  the  machine 
running  the  current  master  crash,  the  master  terminate  (for  example, 
because  of  a  run-time  error),  or  the  network  be  partitioned,  ensures  that 
TEMPO  provides  continuous,  and  therefore  reliable  service4.  However,  in 
the  following  discussion  we  will  assume  that  elections  do  not  occur,  as  we 
are  only  concerned  with  determining  the  accuracy  achieved  by  the  clock 
synchronization  algorithms. 


Definitions  and  General  Assumptions 

A  physical  clock  generates  an  approximation,  as  precise  as  possible,  of 
t,  the  universal  Galilean  time.  A  real-valued,  continuous,  and  everywhere 
derivable  function  C(t)  describes  its  behavior.  Let  p  be  the  absolute  value 
of  the  maximum  drift  rate  of  an  actual  clock  from  the  universal  time;  we 

have: 


1  -  p  < 


dC(t) 

dt 


<  1  +  p  . 


(1) 


Two  clocks  are  said  to  be  synchronized  at  time  t0  their  associated 
functions  have  the  same  value,  i.e.  if  C^it q)  =  C^(t q). 


$  TEMPO  considers  faulty  a  clock  whose  value  is  more  than  a  small  specified  in¬ 
terval  away  from  those  of  the  majority  of  the  clocks  belonging  to  the  machines  syn¬ 
chronized  by  the  same  master. 


The  Measurements 


Slave  1  Slave  2  Slave  3 

2:55  3:00  3:25 


The  Computation  of  the  Average 


Slave  1  Slave  2  \  Slave  3 

2:55  3:00  \  3:25 


Av  = 


0-10-5 


3 


Figure  la 
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The  Correction  of  the  Clocks 


Slave  1  Slave  2  Slave  3 

2:55  3:00  3:25 


Clocks  are  now  Synchronized 


Slave  1  Slave  2  Slave  3 

3:00  3:00  3:00 


Figure  lb 
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Let  R  be  a  constant.  Two  or  more  clocks  are  within  range  R  at  time  f0 
if  the  difference  between  any  two  of  them  is  bounded  by  R : 


CA(t  o)  —  CB(t0) 


<  R  . 


Lemma  1: 

For  t1>t(): 


(l-p)(t1-t0)  <  C(^)  -  C(t0)  <  (1  +  pK^-^o)  • 

Proof: 

Immediate  by  integrating  (1). 

Lemma  2: 

The  absolute  value  of  the  relative  drift  rate  of  any  two  clocks  satisfying  (1), 
is  at  most  2  p: 


d(CA(t)  -CB{t)) 
dt 


<  2p  . 


Proof: 

Let  us  first  assume  that  clock  CA  is  fast  and  clock  CB  is  slow.  From  (1)  we 
have: 


dCA(t) 

dt 


^  1  +  P  , 


dCB(t) 

dt 


1  -  p  . 


In  this  case, 


dCA{t)  dCB{t) 

dt  dt 


In  the  opposite  case,  in  which  clock  CA  is  slow  and  clock  CB  is  fast,  (1) 
yields: 


dCA{t)  dCB{t) 

dt  dt 


Lemma  2  follows. 

A  direct  consequence  of  Lemma  2  is  that,  if  two  clocks  are  synchronized 
at  time  £0,  at  any  later  time  tl  their  values  can  differ  at  most  by 
±  2 p(t1  -  tQ). 


The  Clock  Difference  Measurement  Algorithm 

Machine  A  timestamps  a  message  at  time  CA(t])  and  sends  it  to 
Machine  B,  which  timestamps  it  at  time  CgU2)  and  sends  it  back^.  Upon 


This  exchange  of  messages  is  implemented  in  TEMPO  using  the  TimeStamp 
and  TimeStcimpReply  messages  of  the  DARPA  Internet  Control  Message  Protocol 
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receipt  of  the  message,  Machine  A  reads  the  time  CA(f3).  Machine  A  can 
estimate  A AB(t),  the  difference  between  its  own  clock  and  the  clock  of 
Machine  B,  as 

CA(^)  +  CA(t3)  „  ^ 

2  t-'BU 2)  • 

As  indicated,  A^g  is  a  function  of  time,  but  we  assume  that  its  variation  in 
the  interval  £3  —  ^  is  so  small  that  we  can  write: 

^AB(h)  ~  AAg(£  1)  =  A ab  ■ 

Also,  notice  that  Aas  =  —A BA- 

Theorem  1: 

Let  TmAB  and  TmBA  be  the  minimal  possible  transmission  times  from  A  to  B 
and  from  B  to  A,  respectively^.  Let  us  fix  a  bound,  TM  >  2ma x(Tm  T  ) 

on  the  round-trip  time,  i.e.  CA(t3)  -  CA(tx)  <  TM.  Then,  the  maximum 
error  in  the  estimation  of  Aab  is: 

_Tm-  2min (TmA£,  TmJ 

e  _  - - -  >  0  .  (2) 

Proof: 

Let  T8ab  and  TSba  be  the  actual  transmission  times  from  A  to  B  and  vice 
versa.  We  have: 

TmAB  +  TmBA  -  TSab  +  TSba  <  Tm  , 

and  also: 

max(7’s,.)  =  Tm  -  .  ma x(TsJ  =Tm-  T„tt  (3) 

for  the  hypotheses. 

We  can  now  compute^: 

(ICMP)  °.  As  soon  as  the  associated  interrupt  of  the  network  interface  is  served, 
the  kernel  of  a  remote  machine  processes  a  TimeStamp  message  by  changing  its 
type  field  to  TimeStampReply,  writing  the  clock  value  in  the  message,  and  sending 
it  back  without  invoking  a  user  process.  This  implement  a  variant  of  an  echo  proto¬ 
col.  We  can  therefore  consider  that  the  remote  time  query  occurs  instantaneously  at 
the  remote  machine  at  time  f2- 

$  In  general  T 'mAB  and  TmBA  will  be  different,  as  in  the  case  of  a  ring  network 
where  the  information  flow  travels  in  the  same  direction.  However,  these  two  times 
can  also  be  different  in  a  bus  network  because,  for  example,  of  different  interrupt 
structures  of  the  two  machines. 

In  the  actual  implementation,  several  round-trip  messages  are  exchanged  and 
the  minimum  values  of  5^  and  are  used  in  the  computation  of  EAb-  This 
reduces  the  variance  of  the  transmission  times  in  the  two  directions  and  provides  a 
better  estimate  of  A Ab 


(4) 
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~  CB(t2)  _  CA(t i)  —  Aab  +  tSab  , 

^2  =  EA(t3)  —  CB(t2)  =  A AB  +  TSba  , 


and,  if  E ^  is  our  estimate  of  Aab: 

_  62  —  EA{t{)  +  CA(t 3) 

EAB  -  ' 


CB(*2)  —  AAB  + 


TsflA  “  rsAfl 


2  2  -o'-*-  2 

From  (3)  we  can  derive: 

-  (Tu  -  2TmJ  <  TSflA  -  TSab  <  (Tm  -  2 TmJ  . 


By  substituting  (5)  into  (4),  we  get: 
Tm  -  2  TmgA 


MB 


—  EAB  —  A AB  + 


-  2T 


mAH 


(5) 


(6) 


If  we  define: 


Tm  -  2rnin(Tm,n,  Tm,J 


^  0, 


since 


£  > 


V  "  271m4B 


and  e  5: 


n  _  971 

M  ^ 1  mBA 


for  the  definition  of  TM,  then  the  theorem  follows: 

EAb  ~  &ab  I  —  e • 


(7) 


If  the  estimate  EAB  is  used  to  synchronize  the  clock  of  Machine  B,  the 
two  machines’  clocks  are,  upon  synchronization,  within  range  e. 


Corollary  1: 

The  lower  bound  for  the  error  e  is: 


e  > 


m.\B 


-  T 


mBA 


Proof: 

Immediate  by  substituting  into  (2)  the  expression  for  TM. 

Corollary  2: 

The  measurement  algorithm  allows  a  machine  to  compute  the  clock 
difference  between  any  two  other  machines  with  maximum  error  2e. 

Proof: 

Let  us  suppose  that  machine  A  sends  clock  difference  measurement  mes¬ 
sages  to  any  two  machines,  for  instance  machines  B  and  C,  then: 

Aab  -  CA(t)  -  CB(t)  ,  EAB  =  Aab  ±  e  , 


It  follows: 
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&ac  ~  CA(f)  ~  cc(t)  ,  Eac  =  Aac  ±  e  , 

=  ^AC  ~  ^AB  -  EbC  -  &AC  ~  Bab  • 

^BC  =  ^AC  _  ^AB  -  2e  =  Abc  ±  2e  . 

The  Synchronization  Algorithm 

The  master,  using  the  clock  difference  measurement  algorithm,  com¬ 
putes  the  time  differences  between  its  clock  and  the  clocks  of  slave 
machines.  A  fault-tolerant  averaging  function  is  then  applied  to  these 
differences.  It  selects  the  largest  sets  of  clocks  that  do  not  differ  from  each 
other  more  than  a  small  quantity  y  and  averages  the  differences  of  these 
clocks.  For  instance,  in  the  example  of  Figures  la  and  lb,  assuming  that  y 
is  10  minutes,  the  fault-tolerant  function  selects  the  set  consisting  of  the 
clock  of  the  Master,  the  clock  of  Slave  1,  and  that  of  Slave  2.  This  averag¬ 
ing  function  prevents  malfunctioning  clocks  as  well  as  clocks  with  abnor¬ 
mally  large  drift  rates  from  adversely  affecting  other  clocks.  Notice,  how¬ 
ever,  that  the  synchronization  algorithm  produces  the  appropriate  correction 
value  for  every  clock.  Clocks  that  are  not  selected  by  the  fault-tolerant 
function  are  considered  faulty.  Last,  the  master  asks  each  slave  to  correct 
its  clock  by  a  quantity  equal  to  the  difference  between  the  average  value 
and  the  previously  measured  difference  between  the  clock  of  the  master  and 
that  of  the  slave.  This  process  is  repeated  every  T  seconds. 

For  TEMPO  to  be  reliable,  it  is  necessary  that  all  properly  functioning 
clocks  be  within  y  seconds  when  the  master  starts  a  synchronization  round. 
The  constant  y  is  therefore  chosen  as  a  function  of  the  clock  drift  rate;  the 
interval  between  synchronization  rounds,  T\  and  the  measurement  errors  as 
derived  in  Theorem  3  below. 

Theorem  2: 

If  the  master,  using  the  synchronization  algorithm  described  above  syn¬ 
chronizes  a  number  of  machines,  then  any  two  non-faulty  clocks  are,  once 
the  synchronization  is  performed,  within  range  4e. 

Proof: 

Let  Q  be  the  set  of  machines  selected  by  the  fault-tolerant  averaging  func¬ 
tion.  The  average  of  the  measurements  is  then: 

1  Yp  —  1  V  A  +  1QI  ~ 

\Q\£qaj  \Q\ 

where  we  have  assumed  that  the  clock  of  the  master  A  is  also  non-faulty^" 
and  Aaa  =  0  with  no  error  by  definition. 

$  This  is  not  a  necessary  assumption.  The  algorithm  and  the  derivations  will  con- 
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If  we  use  the  symbol  A  for  -r—-r  2  A Aj  in  order  to  simplify  the  notation, 

I**  I  JeQ 

we  can  rewrite  (8)  as: 


To! -  5  s  £' 


with  e’  =  e. 


The  correction  performed  on  the  clock  of  machine  K  is: 

ck  ~  ToT  2  Eaj  ~  Eak  ' 

1^1  JeQ 

from  which,  by  adding  the  quantity  &AK  —  A,  and  for  (7)  and  (9)  we  obtain: 


ck  +  A ak  ~  A  - 


in  I  2^aj  “A  +  &ak  ~  Eak  -  E’  +  e  ■ 

1^1  JeQ 


Let  us  represent  with  A'BC  the  difference  between  the  clocks  of 
machines  B  and  C  after  the  correction  is  made: 

A ’bc  -  (Aac  +  cc)  —  (A ab  +  cb)  • 


By  adding  and  subtracting  A  we  can  write: 

A BC  ~  i^AC  +  cc  -A)  -  (Aab  +  cB  -A) , 

and  also: 

A'bc  -  Cc  +  Aac  _  A  +  A  -  cB  -  A ab  —  2e'  +  2e  =  4e 
which  completes  the  proof. 

The  following  theorem  summarizes  the  previous  results: 

Theorem  3: 

If  a  machine  measures  the  A’s  for  a  set  of  other  machines  and  synchronizes 
them  every  T  seconds,  then,  at  any  time,  all  non-faulty  clocks  are  within 
range  4e  +  2pT.  > 

Proof: 

The  first  item,  4e,  as  per  Theorem  2,  accounts  for  the  inaccuracy  of  syn¬ 
chronization  after  the  clocks  have  been  reset.  The  second,  as  per  Lemma  2, 
accounts  for  the  maximum  drift  of  any  two  clocks  during  the  time  between 
two  subsequent  synchronizations. 


tinue  to  be  valid  whether  or  not  the  master’s  clock  is  selected  by  the  fault-tolerant 
averaging  function.  Refer,  however,  to  the  next  section  of  this  paper  for  a  brief  dis¬ 
cussion  of  the  types  of  faults  that  TEMPO  can  tolerate. 
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Discussion 

It  is  important  to  notice  that  in  the  derivation  of  the  bounds  on  the 
time  accuracy  we  have  made  no  assumption  whatsoever  about  the  statistical 
distribution  of  the  transmission  times  between  two  machines,  nor  have  we 
assumed  that  these  distributions  are  the  same  in  the  two  communication 
directions. 


It  should  also  be  noted  that  the  requirements  on  the  maximum  round- 
trip  time  Tm  can  be  verified  by  the  master,  in  the  notation  used  above,  by 
computing  C4U3)  —  CA(t{).  Even  though  messages  can  be  arbitrarily 
delayed,  the  master  is  always  able  to  reject  measurements  that  do  not 
satisfy  the  conditions  of  Theorem  1. 

In  our  implementation  of  TEMPO  for  the  Ethernet  local  area  network, 
we  have  chosen  a  value  of  20  milliseconds  for  TM.  Although  the  Digital 
Equipment  VAX  Hardware  Handbook  states  that  p  can  be  as  high  as  10"^, 
we  have  verified,  using  a  high-resolution  frequency  meter,  that  the  clocks  of 
the  VAX’s  used  in  our  experiments  display  drift  rates  smaller  than  2  parts 
in  10^.  Since  the  minimum  transmission  delay  from  machine  to  machine 
can  be  estimated  to  be  5  milliseconds  (including  kernel  protocol  handling 
and  the  scheduling  delays  of  the  master  process),  and  since  TEMPO  syn¬ 
chronizes  the  clocks  every  4  minutes,  the  maximum  error  in  Theorem  3  is 
30  milliseconds. 


Let  us  call  eab  the  actual  error  in  the  measurement  of  the  clock 
difference  between  machines  A  and  B.  From  (6)  we  have:  —  e  <  eab  <  +e. 
Therefore,  the  actual  quantity  that  corresponds  to  e'  in  (9)  is,  for  (8), 


1 

IQI 


2  eAJ  that  is  the  average  of  the  actual  errors  of  the  measurements 
JeQ 


between  the  master  A  and  the  other  machines  in  the  set  Q.  As  such,  by  the 
Strong  Law  of  Large  Numbers,  this  quantity  converges  in  probability  to  the 
mean  of  the  random  variable  that  models  the  measurement  errors.  Under 
the  condition  of  identically  distributed  transmission  times  in  the  two  com¬ 
munication  directions,  which  is  satisfied  in  the  case  of  the  Ethernet^,  this 
mean,  as  can  be  recognized  in  (6),  is  zero.  While  according  to  Theorem  3  the 
first  component  of  the  global  error  can  be  as  large  as  4e,  the  algebraic  mani¬ 
pulations  in  the  proof  of  Theorem  2  show  that  it  can  be  separated  into  two 
parts,  one  of  which,  2e',  for  what  we  have  just  seen,  should  be  very  small. 


In  measurements  taken  in  our  environment,  where  the  time  daemons 
synchronized  the  clocks  of  about  15  machines,  we  rarely  found  the  time 


:  See  also  footnote  to  Theorem  1 . 
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difference  between  clocks  to  be  larger  than  25  milliseconds,  with  the  mean 
between  18  and  20  milliseconds.  Since  the  drift  rate  of  the  clocks  makes 
them  diverge  at  most  10  milliseconds  in  4  minutes,  we  estimated  that  the 
synchronization  inaccuracies  due  to  the  error  described  in  Theorem  2 
amount  to  about  10  milliseconds  on  the  average. 

As  previously  observed,  a  clock  is  considered  faulty  if  it  is  not  selected 
by  the  fault-tolerant  averaging  function.  Therefore,  great  attention  must  be 
paid  to  the  appropriate  choice  for  the  value  of  y.  If  y  is  too  small,  only  a 
few  clocks  may  be  selected;  if  it  is  too  large,  malfunctioning  clocks  can 
reduce  the  precision  of  the  synchronized  time.  In  both  cases,  the  reliability 
of  TEMPO  decreases.  Since  our  measurements  showed  that  most  clocks  do 
not  diverge  more  than  20  milliseconds  from  each  other,  we  set  y  equal  to  20 
milliseconds. 

The  fault-tolerant  averaging  function  may  reject  a  clock  measurement 
for  any  of  three  reasons.  First,  there  may  be  a  hardware  malfunction. 
Second,  a  clock  difference  measurement  may  follow  a  clock  adjustment  with 
an  above-average  error.  Finally,  in  an  improperly  set-up  machine,  a  series 
of  high-priority  interrupts  may  prevent  the  operating  system  from  servicing 
lower-priority  timer  clock  interrupts,  causing  that  machine’s  clock  to  slow 
down.  Given  that  TEMPO  was  designed  for  an  environment  where  Byzan¬ 
tine  faults  are  highly  improbable,  the  synchronization  algorithm  can 
N  —  1 

tolerate  -  faults.  However,  it  should  be  noted  that  the  clock  of  the 

master,  which  is  not  considered  more  important  than  any  other  clock  by  the 
fault-tolerant  averaging  function,  may  cause  the  clock  difference  measure¬ 
ment  algorithm  to  fail  if  it  is  double-faced. 

Comparison  with  Previous  Work 

Although  Tempo  is  a  distributed  program,  it  uses  a  centralized 
approach  in  directing  the  synchronization  activities.  Fault-tolerance  is 
achieved  by  not  giving  a  privileged  role  to  the  master’s  clock  in  the  syn¬ 
chronization  algorithm  and  by  providing  an  election  algorithm  that  elects  a 
new  master  should  the  old  one  terminate.  Our  approach  therefore  contrasts 
with  other  existing  algorithms  that  adopt  a  fully  distributed  approach  to 
fault-tolerance. 

It  is  difficult  to  compare  the  various  clock  synchronization  algorithms 
because,  as  observed  by  Lamport  and  Melliar-Smith7,  different  algorithms 
require  different  methods  of  reading  clocks  and  each  method  generates  a 
different  error.  In  addition,  the  various  authors  describe  the  bounds  on 
their  algorithms  using  parameters  not  always  easily  convertible  to  those  of 
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our  system  of  variables.  However,  in  general,  the  errors  in  clock  synchroni¬ 
zation,  as  in  Theorem  3,  depend  on  the  uncertainty  in  the  elapsed  time 
between  the  generation  and  the  receipt  of  a  message  and  on  the  time 
between  synchronization  rounds. 

In  the  remainder  of  this  section,  in  order  to  compare  the  bounds  on  the 
accuracy  of  different  algorithms,  we  make  the  following  three  additional 
assumptions:  1)  there  are  N  =  3F  +  1  machines,  where  F  is  the  number  of 
machines  with  faulty  clocks;  2)  the  transmission  time  between  any  two 
machines  is  equally  distributed;  and  3)  the  message  delivery  time  is  in  the 
range  [t  —  tj,  r-f  tj],  where  r  is  the  median  delay  time  and  tj  is  the  uncer¬ 
tainty.  Also,  notice  that  our  purpose  is  to  point  out  the  main  advantages  of 
our  algorithm  over  some  alternative  clock  synchronization  methods  rather 
than  to  comprehensively  review  the  literature  in  this  area. 

Lundelius  and  Lynch^  describe  an  algorithm  that  executes  in  a  series  of 
rounds;  each  round  is  started  when  a  clock  reaches  a  certain  predefined 
value.  When  this  happens,  a  machine  broadcasts  that  value  to  all  other 
machines.  Meanwhile,  it  collects  within  a  particular  bounded  amount  of 
time  measured  on  its  own  clock,  messages  from  other  machines.  Then,  each 
machine  computes  the  correction  for  its  clock  using  a  fault-tolerant  averag¬ 
ing  function.  The  bound  analysis  shows  that  clocks  can  be  synchronized  as 
closely  as  4-q  +  4pT,  but  the  authors  suggest  that,  with  a  slight  modification 
of  their  algorithm,  they  can  reduce  the  second  term  to  2 pT . 

The  algorithm  designed  by  Halpern  et  al.5  is  also  based  on  the  periodic 
broadcasting  of  clock  values.  In  their  method  however,  a  machine  that 
receives  a  message  with  a  value  that  its  clock  has  not  reached  yet,  updates 
the  clock  to  that  value  and  broadcast  the  corresponding  message.  This  algo¬ 
rithm  generates  an  error  of  t  +  tj-1-2 pT. 

The  three  algorithms  introduced  by  Lamport  and  Melliar-Smith6,  CON, 
COM,  and  CSM,  are  based  on  broadcast  as  well  and  achieve  the  following 

accuracy  respectively:  2N-q+NpT,  2(iV  +  1)tj  +  p7\  and  -+17  rj  +  pT. 

3 

Although  Lamport  and  Melliar-Smith  do  not  give  the  synchronization 
error  in  a  form  comparable  to  ours  —they  analyze  how  closely  in  real  time 
clocks  reach  the  same  value  whereas  we  measure  how  close  clocks  are  at  the 
same  real  time  —  ,  the  two  quantities  appear  to  be  similar. 

While  it  is  true  that  most  communication  protocols  are  designed  to  pro¬ 
vide  an  upper  bound  on  the  communication  time,  perhaps  by  abnormally 
terminating  the  transmission  after  a  number  of  retries,  it  is  also  true  that 
the  resulting  variance  in  the  transmission  times  can  be  much  larger  than 
the  average  transmission  time.  A  unique  feature  of  our  algorithm  is  that  it 
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can  bound  the  round-trip  time,  despite  the  high  variance  in  transmission 
times,  by  rejecting  those  measurements  that  do  not  satisfy  the  requirements 
of  Theorem  1.  In  fact,  under  the  assumptions  introduced  above,  if  we  call 
Tm  the  minimum  transmission  time,  we  have: 

T  -  V  =  Tm  >  T  +  V  =  TM  ~  Tm  I 

and 


By  comparing  the  expression  for  73  with  (2),  we  can  rewrite  the  result  of 
Theorem  3  as: 

4tj  2pT  . 

Although  the  formula  for  the  accuracy  of  our  algorithm  is  the  same  as 
the  one  for  the  algorithm  of  Lundelius,  our  73  is  much  lower  than  theirs. 
Using  for  the  parameters  the  values  we  have  introduced  earlier  in  this  sec¬ 
tion,  we  obtain  r  =  10  milliseconds  and  77  =  5  milliseconds.  In  the  case  of 
other  algorithms,  tj  is  proportional  to  the  standard  deviation  of  the 
transmission  times,  which  for  the  Ethernet  can  be  rather  large  when  mes¬ 
sages  collide.  When  clocks  are  synchronized  —or  almost  synchronized—  the 
simultaneous  broadcasting  of  messages  that  occurs  in  the  algorithms,  may 
cause  numerous  collisions,  increasing  both  the  median  transmission  time  r 
and  the  uncertainty  tj.  Therefore  in  an  Ethernet  environment,  we  would 
expect  that  our  algorithm  achieve  significantly  better  synchronization  accu¬ 
racy.  In  a  non-Ethernet  environment,  for  instance  a  ring  or  point-to-point 
network,  we  would  still  expect  that  tj  of  the  other  algorithms  would  be 
larger  than  our  tj,  though  the  difference  between  the  two  may  be  smaller. 

Algorithms  COM  and  CSM  were  developed  in  the  framework  of  Byzan¬ 
tine  clock  synchronization  and  both  require  about  NF  +  1  messages.  Algo¬ 
rithm  CON  and  the  algorithms  of  Lundelius  and  Halpern  require  in  the 
worst  case  about  N'2  messages.  TEMPO,  in  contrast  with  the  other  algo¬ 
rithms,  employs  for  each  synchronization  round  only  a  linear  number  of 
messages.  However,  unlike  TEMPO  which  needs  an  election  mechanism  to 
ensure  that  a  new  master  be  elected  in  case  the  current  one  crashes  or  the 
network  partitions,  those  algorithms  are  inherently  fault-tolerant.  Our 
choice  is  motivated  by  the  fact  that  in  our  computing  environment  the  kind 
of  faults  that  require  the  intervention  of  the  election  procedure  are  rare.  We 
have  followed  a  design  principle8  that  calls  for  simplicity  in  the  most  com¬ 
mon  situations  and  confines  complexity  and  high  costs  with  unusual  condi¬ 
tions. 
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Conclusions 

We  have  discussed  the  upper  and  lower  bounds  on  the  accuracy 
achieved  by  the  clock  synchronization  algorithms  of  TEMPO  which  is  distri¬ 
buted  with  Berkeley  UNIX  4.3BSD.  TEMPO  keeps  the  clocks  of  VAX  com¬ 
puters  in  a  local  area  network  synchronized  with  an  accuracy  comparable  to 
the  resolution  of  single  machine  clocks.  Comparison  with  other  clock  syn¬ 
chronization  algorithms  shows  that  TEMPO,  in  an  environment  with  no 
Byzantine  faults,  may  achieve  better  synchronization  at  a  lower  cost. 
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